cd593674e99b216838068aea9b7bc109e328c6bc6a5647ddadaabdbf0066a903

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 02:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd593674e99b216838068aea9b7bc109e328c6bc6a5647ddadaabdbf0066a903.exe
Size

96KB
MD5

6e9174ac7065f00de35c1f07d0cea821
SHA1

24ff36cb69effda10d6137db79428c7c87841e54
SHA256

cd593674e99b216838068aea9b7bc109e328c6bc6a5647ddadaabdbf0066a903
SHA512

d1fc49028ec62be866e6e015c3a813b777719da15cbf87f3f45aae1df354673f371b503c5b7baa910f8d11866f085500722043b6b857548efc2e6422f423d416
SSDEEP

3072:lbjgjXxdWBhMwRFy2Rk/kcIAebPph/ATvYKyUDI7Lur9:lfAXxd0qf2L/ATvryOI7a9

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	cmd.exe

Deletes itself 1 IoCs

pid	Process
1548	WScript.exe

Executes dropped EXE 6 IoCs

pid	Process
1328	rMX.exe
2008	rMX.exe.exe
2272	rMX.exe
4328	rMX.exe
4808	rMX.exe
728	rMX.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4328-20-0x0000000010000000-0x000000001002A000-memory.dmp	upx
behavioral2/memory/4328-30-0x0000000010000000-0x000000001002A000-memory.dmp	upx
behavioral2/memory/4328-34-0x0000000010000000-0x000000001002A000-memory.dmp	upx
behavioral2/memory/4328-35-0x0000000010000000-0x000000001002A000-memory.dmp	upx
behavioral2/memory/4328-22-0x0000000010000000-0x000000001002A000-memory.dmp	upx
behavioral2/memory/4328-21-0x0000000010000000-0x000000001002A000-memory.dmp	upx

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2272 set thread context of 4328	2272	rMX.exe	92
PID 2272 set thread context of 4808	2272	rMX.exe	93
PID 2272 set thread context of 728	2272	rMX.exe	94

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\nk.txt	cmd.exe
File created	C:\WINDOWS\VWFLH\rMX.exe	rMX.exe.exe
File opened for modification	C:\WINDOWS\VWFLH\rMX.exe	rMX.exe.exe
File created	\??\c:\windows\rMX.exe.bat	rMX.exe
File created	C:\WINDOWS\VWFLH\rMX.exe	cd593674e99b216838068aea9b7bc109e328c6bc6a5647ddadaabdbf0066a903.exe
File created	\??\c:\windows\rMX.exe.bat	rMX.exe
File opened for modification	C:\WINDOWS\VWFLH\rMX.exe.exe	rMX.exe
File opened for modification	C:\WINDOWS\VWFLH\rMX.exe	cd593674e99b216838068aea9b7bc109e328c6bc6a5647ddadaabdbf0066a903.exe
File created	C:\WINDOWS\VWFLH\rMX.exe.exe	rMX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3116	728	WerFault.exe	94
4688	4808	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rMX.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rMX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cd593674e99b216838068aea9b7bc109e328c6bc6a5647ddadaabdbf0066a903.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rMX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rMX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	cmd.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4328	rMX.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 1328	3608	cd593674e99b216838068aea9b7bc109e328c6bc6a5647ddadaabdbf0066a903.exe	83
PID 3608 wrote to memory of 1328	3608	cd593674e99b216838068aea9b7bc109e328c6bc6a5647ddadaabdbf0066a903.exe	83
PID 3608 wrote to memory of 1328	3608	cd593674e99b216838068aea9b7bc109e328c6bc6a5647ddadaabdbf0066a903.exe	83
PID 1328 wrote to memory of 1852	1328	rMX.exe	84
PID 1328 wrote to memory of 1852	1328	rMX.exe	84
PID 1328 wrote to memory of 1852	1328	rMX.exe	84
PID 1328 wrote to memory of 2364	1328	rMX.exe	85
PID 1328 wrote to memory of 2364	1328	rMX.exe	85
PID 1328 wrote to memory of 2364	1328	rMX.exe	85
PID 3608 wrote to memory of 3384	3608	cd593674e99b216838068aea9b7bc109e328c6bc6a5647ddadaabdbf0066a903.exe	86
PID 3608 wrote to memory of 3384	3608	cd593674e99b216838068aea9b7bc109e328c6bc6a5647ddadaabdbf0066a903.exe	86
PID 3608 wrote to memory of 3384	3608	cd593674e99b216838068aea9b7bc109e328c6bc6a5647ddadaabdbf0066a903.exe	86
PID 2364 wrote to memory of 2008	2364	cmd.exe	90
PID 2364 wrote to memory of 2008	2364	cmd.exe	90
PID 2364 wrote to memory of 2008	2364	cmd.exe	90
PID 2008 wrote to memory of 2272	2008	rMX.exe.exe	91
PID 2008 wrote to memory of 2272	2008	rMX.exe.exe	91
PID 2008 wrote to memory of 2272	2008	rMX.exe.exe	91
PID 2272 wrote to memory of 4328	2272	rMX.exe	92
PID 2272 wrote to memory of 4328	2272	rMX.exe	92
PID 2272 wrote to memory of 4328	2272	rMX.exe	92
PID 2272 wrote to memory of 4328	2272	rMX.exe	92
PID 2272 wrote to memory of 4328	2272	rMX.exe	92
PID 2272 wrote to memory of 4328	2272	rMX.exe	92
PID 2272 wrote to memory of 4328	2272	rMX.exe	92
PID 2272 wrote to memory of 4328	2272	rMX.exe	92
PID 2272 wrote to memory of 4808	2272	rMX.exe	93
PID 2272 wrote to memory of 4808	2272	rMX.exe	93
PID 2272 wrote to memory of 4808	2272	rMX.exe	93
PID 2272 wrote to memory of 4808	2272	rMX.exe	93
PID 2272 wrote to memory of 728	2272	rMX.exe	94
PID 2272 wrote to memory of 728	2272	rMX.exe	94
PID 2272 wrote to memory of 728	2272	rMX.exe	94
PID 2272 wrote to memory of 728	2272	rMX.exe	94
PID 2008 wrote to memory of 444	2008	rMX.exe.exe	96
PID 2008 wrote to memory of 444	2008	rMX.exe.exe	96
PID 2008 wrote to memory of 444	2008	rMX.exe.exe	96
PID 444 wrote to memory of 1316	444	cmd.exe	102
PID 444 wrote to memory of 1316	444	cmd.exe	102
PID 444 wrote to memory of 1316	444	cmd.exe	102
PID 3384 wrote to memory of 1548	3384	cmd.exe	103
PID 3384 wrote to memory of 1548	3384	cmd.exe	103
PID 3384 wrote to memory of 1548	3384	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\cd593674e99b216838068aea9b7bc109e328c6bc6a5647ddadaabdbf0066a903.exe
"C:\Users\Admin\AppData\Local\Temp\cd593674e99b216838068aea9b7bc109e328c6bc6a5647ddadaabdbf0066a903.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3608
- C:\WINDOWS\VWFLH\rMX.exe
  C:\WINDOWS\VWFLH\rMX.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c echo 0>>c:\windows\nk.txt
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1852
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\WINDOWS\VWFLH\rMX.exe.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\WINDOWS\VWFLH\rMX.exe.exe
      C:\WINDOWS\VWFLH\rMX.exe.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2008
    - - C:\WINDOWS\VWFLH\rMX.exe
        
        C:\WINDOWS\VWFLH\rMX.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2272
      - C:\WINDOWS\VWFLH\rMX.exe
        
        C:\WINDOWS\VWFLH\rMX.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4328
      - C:\WINDOWS\VWFLH\rMX.exe
        
        C:\WINDOWS\VWFLH\rMX.exe
        6⤵
        Executes dropped EXE
        
        PID:4808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 80
        7⤵
        Program crash
        
        PID:4688
      - C:\WINDOWS\VWFLH\rMX.exe
        
        C:\WINDOWS\VWFLH\rMX.exe
        6⤵
        Executes dropped EXE
        
        PID:728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 80
        7⤵
        Program crash
        
        PID:3116
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c c:\35.vbs
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:444
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\35.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1316
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\24.vbs
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3384
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\24.vbs"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4808 -ip 4808
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 728 -ip 728
1⤵
PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\24.vbs

Filesize
236B

MD5
ea81e3aa5035052f44c4e85b2518683f

SHA1
f934ef6cb584da535e78d4148d694afd6a83715d

SHA256
6530ea43f87a20052a58297350824bca962cc93b0392486d696e7c5aaa71a1ea

SHA512
fca0f0578b5dc50998f4d74a5e970ab38aae62f81506adc705d1ca93a90f7ba80c97132eb1aee357ea928a3ab503939890bb2f6c21a75b795bd3c4f30ed93497

Download Submit
C:\35.vbs

Filesize
162B

MD5
3cfc506ef940635c56f439afb15dc90d

SHA1
23b7f25457b3937e3b4c8913e0c7b7e23dfed8c8

SHA256
dae7f636f35b0e5e6c33336e0a4acd5815a646be0d307cf8265fee9ab205b7d9

SHA512
56948edbb4f8fe904d8e7a4be701344b098090633fa482c67c05cc68e92db83ef1ca4f4474343027d9fcf6ccfa677c0c4e5187be989ac698869b5ef145d4326d

Download Submit
C:\Windows\VWFLH\rMX.exe

Filesize
96KB

MD5
6e9174ac7065f00de35c1f07d0cea821

SHA1
24ff36cb69effda10d6137db79428c7c87841e54

SHA256
cd593674e99b216838068aea9b7bc109e328c6bc6a5647ddadaabdbf0066a903

SHA512
d1fc49028ec62be866e6e015c3a813b777719da15cbf87f3f45aae1df354673f371b503c5b7baa910f8d11866f085500722043b6b857548efc2e6422f423d416

Download Submit
C:\Windows\VWFLH\rMX.exe.exe

Filesize
96KB

MD5
4a3e084777821ad0e497b25097634fb3

SHA1
00212d119a5aae0475c59ba7b272cfdfa117358a

SHA256
33a2b4eb1cfd3cc1a4b18de8f0a3024d8aa25e18ac29309404a76435fc83019e

SHA512
1dbbb643356fc2e0ac63693e8bc21ecf67f25b2f8f5d4a895a2862fb46b7dbe6c517c855941974756337b1c3a35d51c52d6213571629dec5f6f66d32ed2a67d2

Download Submit
memory/1328-9-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download
memory/2008-33-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download
memory/2272-32-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download
memory/3608-10-0x000000007EEE0000-0x000000007EEFF000-memory.dmp

Filesize
124KB

Download
memory/4328-30-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/4328-34-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/4328-35-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/4328-22-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/4328-21-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/4328-20-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download